Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of May 2018

New Detection Technique - Win32/TeleGrab

TeleGrab evolved from malware that historically stole browser credentials and text files in the system. New versions target Telegram's desktop application, attempting to steal various cache files and key files to later hijack the Telegram accounts remotely.

The malware appears to target Russian-speaking victims.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Spyware infection, Win32/TeleGrab

New Detection Technique - Muhstik

The Muhstik botnet was first detected in late March, attempting to exploit Drupal vulnerability CVE-2018-7600. According to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.

Muhstik has adapted to include recent GPON router vulnerabilities (CVE-2018-10561 and CVE-2018-10562) as well as JBoss (CVE-2007-1036) and DD-WRT (Web Authentication Bruteforcing).

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Botnet infection, ELF/Muhstik
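One of the behaviours listed for Muhstik is brute-forcing of the DD-WRT web login. As an added example (not part of this update and not AlienVault's correlation logic), the following Python script detects that pattern in ordinary web server access logs: repeated HTTP 401 responses from one source inside a short window, followed by a 200 from the same source, which is the "password found" case worth the highest priority. The log lines, the `/admin/` path, the five-failure threshold and the 60 second window are all constructed assumptions for the example.

```python
"""Detect HTTP authentication brute forcing in access logs.

Added example: the log lines below are constructed, and the threshold and
window are assumptions a deployment would tune to its own baseline."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Common Log Format lines. 203.0.113.50 hammers the login and
# eventually gets a 200; 198.51.100.7 mistypes once, then logs in normally.
ACCESS_LOG = """\
203.0.113.50 - - [12/May/2018:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.50 - - [12/May/2018:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.50 - - [12/May/2018:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2018:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.50 - - [12/May/2018:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.50 - - [12/May/2018:10:00:04 +0000] "GET /admin/ HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2018:10:00:05 +0000] "GET /admin/ HTTP/1.1" 200 2048
203.0.113.50 - - [12/May/2018:10:00:06 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.50 - - [12/May/2018:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (src, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["req"], int(m["status"])


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return a list of alert dicts.

    A source is flagged once when it accumulates `threshold` 401 responses
    within `window_s` seconds; a later 200 from a flagged source produces a
    second, higher-priority alert because the guessing likely succeeded."""
    failures = defaultdict(deque)  # src -> timestamps of 401s inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts, req, status = rec
        if status == 401:
            q = failures[src]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "kind": "auth_bruteforce",
                               "failures": len(q), "at": ts.isoformat()})
        elif status == 200 and src in flagged:
            alerts.append({"src": src, "kind": "success_after_bruteforce",
                           "request": req, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(ACCESS_LOG):
        print(alert)
```

The sliding window keeps memory bounded per source and avoids the classic mistake of counting failures since the start of the log, which would eventually flag any long-lived client. The single-failure source is never flagged, so its later 200 raises nothing.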

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

System Compromise, Trojan infection, Banload Downloader CnC

System Compromise, Trojan infection, JS/Javaxs.Loader

System Compromise, Trojan infection, Win32.Agent.unk Dropper

New Detection Technique - Win32/Tiggre

Tiggre was originally malware distributed as a video file, which infected the victim's system to mine cryptocurrency. The latest update adds the Nigelthorn malware, shared as a link to a fake YouTube page. The fake page asks the victim to install a Google Chrome extension that steals credentials, mines cryptocurrency, and spreads itself through the victim's Facebook profile.

To get the malicious code into a Google Chrome extension, the attackers copied legitimate extensions and injected their code into them, bypassing Google's validation tools.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, Win32/Tiggre

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
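As an added example of how a certificate blocklist of this kind is applied (this is illustrative code, not AlienVault's signatures or the Abuse.ch feed itself), the Python below loads a blocklist in the comma-separated layout the Abuse.ch SSL Blacklist uses (comment lines starting with `#`, then listing date, SHA1 fingerprint and listing reason; the layout is an assumption here, and every fingerprint and host in the sample is constructed) and matches it against TLS connection records as a network sensor would export them. Matching is on the SHA1 of the server certificate, normalised to lower case so a sensor that emits upper-case hex does not cause silent misses.

```python
"""Match observed TLS server certificate fingerprints against an
SSLBL-style blocklist to surface likely C&C connections.

Added example: the blocklist rows, fingerprints and TLS records are all
constructed for illustration and are not real indicators."""
import csv
from collections import defaultdict

# Constructed blocklist in the assumed SSLBL CSV layout:
# '#' comment lines, then Listingdate,SHA1,Listingreason.
SSLBL_CSV = """\
# abuse.ch SSL Blacklist (constructed sample, not real data)
# Listingdate,SHA1,Listingreason
2018-05-10 09:12:44,0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d,Gozi C&C
2018-05-11 14:03:10,ffeeddccbbaa99887766554433221100ffeeddcc,TrickBot C&C
not,a,valid,row
"""

# Constructed TLS connection records, tab separated:
# timestamp, client IP, server IP, server port, server certificate SHA1.
TLS_LOG = """\
1526040000.1\t10.0.0.5\t203.0.113.10\t443\t9f86d081884c7d659a2feaa0c55ad015a3bf4f1b
1526040012.8\t10.0.0.7\t198.51.100.23\t8443\t0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
1526040020.2\t10.0.0.5\t192.0.2.45\t443\tffeeddccbbaa99887766554433221100ffeeddcc
1526040033.0\t10.0.0.9\t203.0.113.10\t443\t9f86d081884c7d659a2feaa0c55ad015a3bf4f1b
"""

HEX = set("0123456789abcdef")


def load_blocklist(text):
    """Return {sha1 (lower case): (listing_date, reason)} from SSLBL-style CSV.

    Comment lines, malformed rows and non-SHA1 values are skipped so a
    damaged feed download degrades to fewer indicators, not a crash."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    entries = {}
    for row in csv.reader(rows):
        if len(row) != 3:
            continue
        listed, sha1, reason = (field.strip() for field in row)
        sha1 = sha1.lower()
        if len(sha1) != 40 or not set(sha1) <= HEX:
            continue
        entries[sha1] = (listed, reason)
    return entries


def find_cnc_connections(log_text, blocklist):
    """Return one hit dict per TLS record whose server certificate is listed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, sha1 = parts
        match = blocklist.get(sha1.strip().lower())
        if match is None:
            continue
        hits.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                     "sha1": sha1.lower(), "listed": match[0], "reason": match[1]})
    return hits


def hosts_by_family(hits):
    """Group internal hosts by the listing reason (malware family) they contacted,
    which is the view an analyst wants for triage."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["reason"]].add(hit["src"])
    return dict(grouped)


if __name__ == "__main__":
    bl = load_blocklist(SSLBL_CSV)
    for hit in find_cnc_connections(TLS_LOG, bl):
        print(hit)
```

In production the blocklist would be refreshed on a schedule and the match would run inside the sensor or SIEM rather than over a text dump, but the two decisions that matter are the same: key on the certificate fingerprint, not the IP or SNI, since C&C infrastructure moves while certificates are reused, and treat a malformed feed as a partial feed rather than failing open.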